With the General Data Protection Regulation (GDPR) enforceable since May 25, 2018, SNP has put together a list of the top 10 GDPR FAQs to help you check how well your plans are shaping up.
1. What does GDPR stand for?
GDPR is short for the ‘General Data Protection Regulation,’ a regulation in European Union law on data protection and privacy for individuals within the EU. The first draft of the GDPR appeared back in 2012. After four years of negotiation and debate it was adopted in April 2016, and following a two-year transition period it became enforceable on May 25, 2018.
2. Why is GDPR important?
For individuals in the EU, GDPR introduces new rights. Consumers have greater control over the data organizations hold on them, including a say on when it should be deleted or transferred to other parties. For EU businesses, as well as international businesses with operations or customers in the EU, one of the biggest challenges is ensuring that customers are actually able to exercise those rights. It also requires an ongoing review of technical and organizational measures to ensure personal data is adequately protected at all times.
3. What are the GDPR requirements?
All organizations need to consider the legislation as a whole and conduct an analysis of the impact of GDPR on their activities. Some of the most significant requirements are:
- Many organizations will need to appoint a Data Protection Officer: This applies to public authorities and to organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data such as health data.
- Accountability: Being compliant isn’t enough. You have to be able to show that you are abiding by the rules. This includes maintaining an up-to-date register of data processing activities. In the event of a personal data breach, it also means being able to give a full account of what happened and the preventative measures you had in place when you notify the supervisory authority, which must generally happen within 72 hours of becoming aware of the breach.
- Privacy by default: Protection of personal data needs to be hardwired into your processes and systems.
- Deletion and portability: Companies are obligated to delete personal data when it is no longer necessary, and to transfer it to another organization in a commonly used, machine-readable format if the people it refers to request it.
- Data Protection Impact Assessments are critical: Where any new or existing data processing activity is likely to result in a high risk to the rights and freedoms of individuals, companies are required to carry out a systematic review of how best to safeguard those rights before the processing starts.
- Transparency is vital: An organization needs to be upfront with customers, employees, and others about how their personal data is processed.
4. Who does GDPR apply to?
GDPR applies to any natural or legal person, public authority, agency or other body that processes personal data, whether as a controller or as a processor. It covers organizations established in the EU regardless of where the processing takes place, and organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
5. How should my business prepare for GDPR?
- Build awareness: From on-the-ground IT to board level, ensure that decision-makers and key staff are aware that the law is changing. All individuals involved in the GDPR-readiness project should be aware of their responsibilities, including what they need to do and when.
- Map your data: What personal data do you hold? What is its purpose? Where is it stored? Where did it come from and who do you share it with? For this type of fundamental data audit, having the right tool in place to help you map, visualize and manage your data is invaluable.
- Consider designating a Data Protection Officer: Decide who will take responsibility for compliance and where this role will sit within your organizational structure.
- Review your breach prevention, detection and response procedures: This will involve a security audit to confirm that the data protection measures you have in place are adequate. Make sure you have procedures to detect, respond to and report breaches in accordance with the regulation, including notifying the supervisory authority within 72 hours and, where the breach is likely to result in a high risk to them, informing the affected individuals.
- Review and refresh your consent procedure: Look at how you obtain, record and manage consent. Consider whether any changes may be needed to your existing procedures as well as your privacy notices.
- Address scenarios on how you will equip individuals to exercise their rights: If a customer asks for a copy of the data you hold on them, will you be able to provide it? What happens if someone asks you to delete or transfer their data to another party? Review your infrastructure and procedures to ensure that if you receive such requests, you can comply.
6. What will it cost my company to prepare for GDPR?
It depends on where you are currently in terms of data protection. Do you already strive to follow best practice in areas such as mapping, processing, transparency, and security? If so, absorbing the new requirements of GDPR need not be a costly ordeal.
How much you will need to invest in new technology and processes will depend on the complexity, volume and sensitivity of the personal data you hold—and whether your current technology allows you to both safeguard the data adequately while respecting data subjects’ rights.
7. What type of data is protected under the GDPR?
Any information relating to an identified or identifiable living natural person is considered personal data. Some examples of personal data include:
- Identity information (e.g. name, address, telephone number, credit card number)
- Web data (e.g. location data, IP address, cookie identifiers and RFID tags)
- Data on sexual orientation
- Data on political opinions
- Racial or ethnic data
- Health and biometric data
The last four are ‘special categories’ of personal data, which the regulation allows to be processed only under narrower conditions and which require stronger safeguards.
8. Who owns personal data under the GDPR?
The GDPR does not deal with the question of data ownership, but it does make clear that data subjects should be in control of how their data is processed.
9. What is the “right to be forgotten”?
The right to be forgotten (the right to erasure) means that individuals can require you to delete their personal data when there is no longer a legitimate reason for you to keep it, unless an exemption applies, such as a legal obligation to retain the data. For instance, if you process data about your customers on the basis of their consent and they later withdraw that consent, you must erase the data unless you have another lawful basis for the processing.
10. What does privacy by design mean?
Whether you are starting a new project, updating your dispatch process or building a new marketing database, GDPR requires data protection by design and by default: hardwiring data protection into your processes, tools and projects at the earliest stage possible, collecting only the personal data you need, and applying measures such as pseudonymization where they fit.
For more information on GDPR compliance and policies, contact an SNP representative.